I am doing an analysis of special cases of UB, for the purpose of learning about security leaks via exploits of buffer overflows.
I have trouble understanding the result of an experiment wiht intentionally proked UB. Where I believe that the overflow of a buffer (which lies between another buffer and my detector variable) overfwrites both, the other buffer and the detector.
In short: What could be the reason for the value 49 of the variable 'value' after
strcpy(buffer_two, argv[1]);
In this code:
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[]){
int value = 5;
char buffer_one[8];
char buffer_two[8];
strcpy(buffer_one, "one");
strcpy(buffer_two, "two");
printf("[BEFORE] buffer_two is at %p and contains \'%s\'\n", buffer_two, buffer_two);
printf("[BEFORE] buffer_one is at %p and contains \'%s\'\n", buffer_one, buffer_one);
printf("[AFTER] value is at %p and is %d (0x%08x)\n", &value, value, value);
printf("\n[STRCPY] copying %d bytes into buffer_two\n\n", strlen(argv[1]));
strcpy(buffer_two, argv[1]); /* Copy first argument into buffer_two. */
printf("[BEFORE] buffer_two is at %p and contains \'%s\'\n", buffer_two, buffer_two);
printf("[BEFORE] buffer_one is at %p and contains \'%s\'\n", buffer_one, buffer_one);
printf("[AFTER] value is at %p and is %d (0x%08x)\n", &value, value, value);
}
Result:
./overflow_example AAAAAAAAAAAAAAAA1
[BEFORE] buffer_two is at 0xbff2db0c and contains 'two'
[BEFORE] buffer_one is at 0xbff2db14 and contains 'one'
[BEFORE] value is at 0xbff2db1c and is 5 (0x00000005)
[STRCPY copying 17 bytes into buffer_two
[AFTER] buffer_two is at 0xbff2db0c and contains 'AAAAAAAAAAAAAAAA1'
[AFTER] buffer_one is at 0xbff2db14 and contains 'AAAAAAAA1'
[AFTER] value is at 0xbff2db1c and is 49 (0x00000031)
the stack of memory go up. It mean we override the value of buffer_one. But i don't know why value of 'value' was effected
In your exploit experiment you seem to have lost track of the order of buffers and variable.
Your output (together with variable declarations in the code) clearly shows:
(Size of value is guess, but irrelevant, assuming it has the LSB on lowest byte address.)
When buffer_two overflows by 9 bytes, it will fill buffer_one completely, first byte of value with '1' == 49 and second byte of value with 0.
To repeat, all of that is, strictly speaking, UB and therefor wild guessing. But that is the normal environment of exploits, which you are probably aware of.
User contributions licensed under CC BY-SA 3.0